[Firewall] Drop rule from address-list not working.

Hi Guys,

I’m trying to drop incoming connections to my router which are not listed in an address list, but for some reason the below rule isn’t working.

What am I missing?

Any help would be greatly appreciated!

Firewall Filter:

0 ;;; Drop SSH connection from Non-RSA IP’s
chain=input action=drop protocol=tcp src-address-list=!RSA-IP-BLOCKS src-port=22


Firewall Address Lists:

LIST ADDRESS

0 RSA-IP-BLOCKS 41.0.0.0/11
1 RSA-IP-BLOCKS 41.48.0.0/13
2 RSA-IP-BLOCKS 41.56.0.0/16
3 RSA-IP-BLOCKS 41.57.0.0/18
4 RSA-IP-BLOCKS 41.57.112.0/22
5 RSA-IP-BLOCKS 41.57.128.0/18
6 RSA-IP-BLOCKS 41.61.0.0/16
7 RSA-IP-BLOCKS 41.63.64.0/18
8 RSA-IP-BLOCKS 41.66.64.0/18
9 RSA-IP-BLOCKS 41.66.128.0/18
10 RSA-IP-BLOCKS 41.71.0.0/17
11 RSA-IP-BLOCKS 41.72.128.0/19
12 RSA-IP-BLOCKS 41.73.32.0/19
13 RSA-IP-BLOCKS 41.74.96.0/20
14 RSA-IP-BLOCKS 41.74.144.0/20
15 RSA-IP-BLOCKS 41.74.176.0/20
16 RSA-IP-BLOCKS 41.74.192.0/20
17 RSA-IP-BLOCKS 41.74.224.0/20
18 RSA-IP-BLOCKS 41.75.96.0/20
19 RSA-IP-BLOCKS 41.75.128.0/20
20 RSA-IP-BLOCKS 41.75.224.0/20
[SNIP]

LOG:
09:59:43 system,error,critical login failure for user someuser from 78.47.79.193 via ssh

78.0.0.0 is definitely not a South African IP range.

maybe dst-port=22 ?

Strange, I originally used dst-port and it didn’t seem to work… but after trying from a different international IP, now it works… Maybe I just wasn’t paying attention.

Anyhow, it’s working now.


If anyone knows of a better/optimized way to do the above, please let me know!

I originally had SSH blacklist rules (obtained from the Mikrotik site) but after the recent spate of SSH attempts on my router from several different IPs, simple SSH blacklisting won’t work as well.

For those who wish to filter SSH (or anything else) connections based on geographic IP addresses…

Here is the command:

/ip firewall filter add chain=input action=drop protocol=tcp src-address-list=!RSA-IP-BLOCKS in-interface=all-ppp dst-port=22

Be sure to name your address lists and WAN interface to something else.

The above rule will filter/drop inbound IPs that are NOT in the address list.

To obtain the country IP address blocks, just do a Google search, but here is one of the many sites out there: http://ipinfodb.com/ip_country_block.php

To import the lists, there are several scripts on the Mikrotik site that can help, otherwise PM me.
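The fix in this thread comes down to one matcher: an inbound SSH client connects *to* port 22 from an ephemeral source port, so a rule with `src-port=22` never sees such a packet, while `dst-port=22` does. The following Python model is an added example, not code from the thread or from MikroTik; it simulates first-match evaluation of an input-chain rule with a negated address list (`!RSA-IP-BLOCKS`) and runs the original and corrected rules over constructed packets. The `Packet`/`Rule` classes, the router address `41.57.1.10`, the port numbers and the treatment of `all-ppp` as a plain interface name are all assumptions made for the example; the attacker address is the one from the log line above and the prefixes are a subset of the posted list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the thread's RSA-IP-BLOCKS address list (South African prefixes).
RSA_IP_BLOCKS = [ipaddress.ip_network(p) for p in (
    "41.0.0.0/11", "41.48.0.0/13", "41.56.0.0/16", "41.57.0.0/18",
)]


@dataclass(frozen=True)
class Packet:
    """Fields of an inbound packet that the rule in the thread looks at (hypothetical model)."""
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int
    in_interface: str


@dataclass(frozen=True)
class Rule:
    """Simplified model of a RouterOS input-chain filter rule (hypothetical, not RouterOS code)."""
    action: str
    proto: str
    src_list: List[ipaddress.IPv4Network]
    negate_list: bool                    # True models src-address-list=!NAME
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None   # None models "any interface"

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        in_list = any(ipaddress.ip_address(pkt.src) in net for net in self.src_list)
        # With '!' the rule applies only to sources that are NOT in the list.
        if (not in_list) != self.negate_list:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an empty chain accepts by default, as RouterOS does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# The rule as first posted: src-port=22, which an inbound SSH client never uses.
BROKEN_RULE = Rule(action="drop", proto="tcp", src_list=RSA_IP_BLOCKS,
                   negate_list=True, src_port=22)
# The corrected rule from the thread: dst-port=22 on the PPP (WAN) interface.
FIXED_RULE = Rule(action="drop", proto="tcp", src_list=RSA_IP_BLOCKS,
                  negate_list=True, dst_port=22, in_interface="all-ppp")

# Constructed packets. The attacker address is the one from the thread's log line;
# the router address and port numbers are invented for the example.
ATTACKER_SSH = Packet("78.47.79.193", "41.57.1.10", "tcp", 51234, 22, "all-ppp")
LOCAL_SSH = Packet("41.57.1.20", "41.57.1.10", "tcp", 40000, 22, "all-ppp")
# What src-port=22 actually describes: a packet whose *source* port is 22.
ATTACKER_FROM_22 = Packet("78.47.79.193", "41.57.1.10", "tcp", 22, 51234, "all-ppp")


def demo() -> dict:
    """Returns the verdict each rule gives for each constructed packet."""
    return {
        "broken/attacker_ssh": evaluate([BROKEN_RULE], ATTACKER_SSH),          # accept
        "broken/attacker_from_22": evaluate([BROKEN_RULE], ATTACKER_FROM_22),  # drop
        "fixed/attacker_ssh": evaluate([FIXED_RULE], ATTACKER_SSH),            # drop
        "fixed/local_ssh": evaluate([FIXED_RULE], LOCAL_SSH),                  # accept
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key}: {verdict}")
```

The model shows why the first rule produced a login-failure log line instead of a drop: the attacker's SYN to port 22 is only matched by the `dst-port=22` rule, and a client from a listed South African prefix is still accepted by it. On a real router, `/ip firewall filter print stats` (the counters on the rule) is the quick way to confirm whether a rule is matching anything at all.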

Another vendor that allows you to get plenty of information of an IP address is ipbase.com. You need an API key but there is a free plan with 150 requests per month.